VISA Basic Auth

ID

visa_basic_auth

Severity

critical

Vendor

Visa

Family

Password

Description

Visa is a financial services corporation that facilitates electronic funds transfers worldwide, most commonly through Visa-branded credit, debit and prepaid cards. Its online payment service exposes APIs used by platform businesses such as crowdfunding sites, marketplaces and small business software companies, and it also offers partners fraud and risk protection.

This detector catches HTTP Basic authentication credentials (a Visa username and password pair) that are used to authenticate requests to Visa APIs.

Security

Any leakage of these credentials is critical: whoever obtains the username and password pair can build the Basic Authorization header and call the payment APIs as the legitimate integration.

Examples

The following example shows hardcoded Visa authentication credentials in a Properties file:

visa.username=UaI1o2dgy2ZFPYRqrgmfo4SRogL6w1BYaZULSRGyDBOlVUJjkP
visa.password=ZeLXpQwS0205M3OzfA4O8yKcPHrYhVOFAdlaIjXJ

Mitigation / Fix

  1. Remove the sensitive data from the source code or committed configuration file. Avoid hardcoded secrets, and instead place the credentials in a secrets vault and load them at runtime.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the credentials in the target system(s).

  3. If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure GitHub documents for this.

Treat any secret that has appeared in a commit as compromised, even after the history has been rewritten.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
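As an added example that is not part of the original page or of any Visa tooling, the following Python script ties the detection and the fix together. It parses a Java-style .properties file, flags Visa username/password keys whose values are literal secrets (the key pattern and the minimum value length are heuristics chosen here, not Visa's credential format), shows the Authorization header an attacker can derive from a leaked pair, and demonstrates the remediated file where values are `${VAR}` placeholders resolved from the environment or a vault-backed mapping. The sample inputs are constructed; the credential values are the page's own example values.

```python
import base64
import re
from typing import Dict, List, Mapping, Tuple

# Constructed sample input, not from any real deployment: a Java-style
# .properties file carrying the page's example Visa credentials.
SAMPLE_PROPERTIES = """\
# checkout-service configuration (constructed example)
app.name=checkout-service
visa.base_url=https://sandbox.api.visa.com
visa.username=UaI1o2dgy2ZFPYRqrgmfo4SRogL6w1BYaZULSRGyDBOlVUJjkP
visa.password=ZeLXpQwS0205M3OzfA4O8yKcPHrYhVOFAdlaIjXJ
"""

# The remediated file: values are placeholders resolved at runtime,
# so nothing secret is committed.
FIXED_PROPERTIES = """\
app.name=checkout-service
visa.base_url=https://sandbox.api.visa.com
visa.username=${VISA_USERNAME}
visa.password=${VISA_PASSWORD}
"""

PLACEHOLDER = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
# Heuristic (assumption, not a Visa rule): a key namespaced under "visa"
# whose last segment names a user or password field.
VISA_KEY = re.compile(r"^visa[._-].*(user(name)?|pass(word)?|pwd)$", re.IGNORECASE)
MIN_SECRET_LEN = 16  # heuristic floor to skip empty or obviously dummy values


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: '#'/'!' comments, '=' / ':' / whitespace
    separators, and backslash line continuations."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def find_hardcoded_visa_credentials(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs that look like committed Visa Basic Auth
    credentials. ${VAR} placeholders and short values are not findings."""
    findings: List[Tuple[str, str]] = []
    for key, value in parse_properties(text).items():
        if not VISA_KEY.match(key):
            continue
        if PLACEHOLDER.match(value) or len(value) < MIN_SECRET_LEN:
            continue
        findings.append((key, value))
    return findings


def basic_auth_header(username: str, password: str) -> str:
    """The Authorization header a client derives from the pair. Anyone who can
    read the committed file can build it, which is why leakage is critical."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def load_visa_credentials(text: str, env: Mapping[str, str]) -> Tuple[str, str]:
    """Resolve ${VAR} placeholders from `env` (os.environ or a vault-backed
    mapping) and refuse to start if a secret is missing or still a literal."""
    props = parse_properties(text)
    resolved: List[str] = []
    for key in ("visa.username", "visa.password"):
        value = props.get(key, "")
        if not PLACEHOLDER.match(value):
            raise ValueError(f"{key} must be a ${{VAR}} placeholder, not a literal")
        var = value[2:-1]
        if var not in env:
            raise KeyError(f"environment variable {var} is not set")
        resolved.append(env[var])
    return resolved[0], resolved[1]


if __name__ == "__main__":
    for key, value in find_hardcoded_visa_credentials(SAMPLE_PROPERTIES):
        print(f"FINDING {key}: {value[:6]}... ({len(value)} chars)")
    user, pwd = [v for _, v in find_hardcoded_visa_credentials(SAMPLE_PROPERTIES)]
    print("derived header:", basic_auth_header(user, pwd)[:24] + "...")
    print("fixed file findings:", find_hardcoded_visa_credentials(FIXED_PROPERTIES))
```

Run it against a real configuration tree by feeding each .properties file's contents to `find_hardcoded_visa_credentials`; at startup, `load_visa_credentials(text, os.environ)` fails closed if someone reintroduces a literal secret.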